Skip to content

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Company

About us
Blog
Learn
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Home
Vendors
Concrete Cms

Concrete CMS Vulnerabilities: CVEs, CISA KEV & Security Advisories

72 CVEs

Concrete CMS Vulnerabilities

CVE security advisories and vulnerability history for Concrete CMS.

72

Total CVEs

Published

0

In CISA KEV

Exploited in the wild

1

Public exploits

With known exploit

4.4

Avg CVSS

2020–2026

Overview

Concrete CMS has 72 published CVE records since 2020, of which 0 are in CISA's Known Exploited Vulnerabilities catalog and 1 have a known public exploit. The average CVSS base score across scored CVEs is 4.4.

This page aggregates every publicly disclosed vulnerability (CVE) affecting Concrete CMS products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of Concrete CMS's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical1

High10

Medium28

Low32

1 additional CVE has no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

0

None of Concrete CMS's CVEs are currently listed in CISA's KEV catalog.

Public exploits

1

One of Concrete CMS's CVEs has a known public exploit available.

Most affected products

The Concrete CMS products with the most published CVEs.

concrete cms72 CVEs
concrete5/concrete527 CVEs
concretecms27 CVEs
concrete_cms1 CVEs

Common weakness types

The CWE weakness categories most often found in Concrete CMS CVEs. Follow any weakness for its full explanation.

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')20 CVEs
CWE-352Cross-Site Request Forgery (CSRF)14 CVEs
CWE-20Improper Input Validation8 CVEs
CWE-1275Sensitive Cookie with Improper SameSite Attribute6 CVEs
CWE-862Missing Authorization5 CVEs
CWE-639Authorization Bypass Through User-Controlled Key5 CVEs
CWE-502Deserialization of Untrusted Data2 CVEs
CWE-269Improper Privilege Management1 CVE

CNAs that assign these CVEs

The CVE Numbering Authorities that publish Concrete CMS CVE records.

ConcreteCMS71 CVEs
redhat1 CVEs

Disclosure activity by year

How many Concrete CMS CVEs were published each year.

2020

1

2024

17

2025

4

2026

50

Latest Concrete CMS CVEs

The most recently disclosed vulnerabilities affecting Concrete CMS.

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme
CWE-79
Low · CVSS 2.1
EPSS 0.0%2026-05-22
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog
CWE-639
Low · CVSS 2.3
EPSS 0.0%2026-05-22
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion
CWE-352
Low · CVSS 2.3
EPSS 0.0%2026-05-22
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName
CWE-79
Low · CVSS 2.0
EPSS 0.0%2026-05-21
Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block
CWE-918
Low · CVSS 2.1
EPSS 0.0%2026-05-21
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete
CWE-352
Low · CVSS 2.3
EPSS 0.0%2026-05-21
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete
CWE-352
Low · CVSS 2.3
EPSS 0.0%2026-05-21
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete
CWE-352
Low · CVSS 2.3
EPSS 0.0%2026-05-21
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache
CWE-352
Low · CVSS 2.3
EPSS 0.0%2026-05-21
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design
CWE-352
Low · CVSS 2.3
EPSS 0.0%2026-05-21
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate
CWE-352
Low · CVSS 2.3
EPSS 0.0%2026-05-21
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder
CWE-352
Low · CVSS 2.3
EPSS 0.0%2026-05-21

Track new Concrete CMS CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor Concrete CMS CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

microsoft24,097 CVEs Linux19,131 CVEs google14,281 CVEs apple14,019 CVEs oracle10,440 CVEs debian10,201 CVEs IBM8,265 CVEs Adobe7,222 CVEs

Browse all vendors

Frequently asked questions

Common questions about Concrete CMS vulnerabilities.

How many CVEs does Concrete CMS have?

Concrete CMS has 72 published CVE records since 2020, including 54 in the last two years.

How many Concrete CMS CVEs are in CISA KEV?

None of Concrete CMS's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Which Concrete CMS products have the most CVEs?

The Concrete CMS products with the most published CVEs are concrete cms, concrete5/concrete5, concretecms, concrete_cms.

What are the most common weakness types in Concrete CMS CVEs?

Concrete CMS's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-352 (Cross-Site Request Forgery (CSRF)), CWE-20 (Improper Input Validation), CWE-1275 (Sensitive Cookie with Improper SameSite Attribute).

Are there public exploits for Concrete CMS vulnerabilities?

Yes — 1 of Concrete CMS's CVEs have a known public exploit.

How many critical Concrete CMS vulnerabilities are there?

Concrete CMS has 1 critical and 10 high-severity CVEs.

What is the average severity of Concrete CMS CVEs?

The average CVSS base score across Concrete CMS's scored CVEs is 4.4.

References

The MITRE CVE Program (opens in a new tab)
Learn: What is a CVE?
CWE directory: the weakness types these CVEs map to
CNA directory: the CNAs that assign these CVEs

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track Concrete CMS vulnerabilities

Monitor new Concrete CMS vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Severity and exploitation
Most affected products
Common weakness types
Assigning CNAs
Disclosure activity
Latest CVEs
Other vendors
FAQ
References